Merge branch 'var-file' into 'main'

Support var_file input in all templates

See merge request components/opentofu!160

src/gitlab-tofu.sh

@@ -204,6 +204,11 @@ if [ $sourced -eq 0 ]; then
   # Authenticate to private registry
   terraform_authenticate_private_registry
 
+  var_file_args=""
+  if [ -n "${OPENTOFU_COMPONENT_VAR_FILE}" ]; then
+    var_file_args="--var-file=${OPENTOFU_COMPONENT_VAR_FILE}"
+  fi
+
   case "${1}" in
     "apply")
       auto_approve_args=""
@@ -215,7 +220,8 @@ if [ $sourced -eq 0 ]; then
       if [ "$TF_APPLY_NO_PLAN" = false ]; then
         tofu "${TF_CHDIR_OPT}" "${@}" -input=false "${auto_approve_args}" "${TF_PLAN_CACHE}"
       else
-        tofu "${TF_CHDIR_OPT}" "${@}" -input=false "${auto_approve_args}"
+        # shellcheck disable=SC2086
+        tofu "${TF_CHDIR_OPT}" "${@}" -input=false "${auto_approve_args}" ${var_file_args}
       fi
     ;;
     "destroy")
@@ -232,7 +238,8 @@ if [ $sourced -eq 0 ]; then
     ;;
     "plan")
       $TF_IMPLICIT_INIT && terraform_init
-      tofu "${TF_CHDIR_OPT}" "${@}" -input=false -out="${TF_PLAN_CACHE}"
+      # shellcheck disable=SC2086
+      tofu "${TF_CHDIR_OPT}" "${@}" -input=false -out="${TF_PLAN_CACHE}" ${var_file_args}
     ;;
     "plan-json")
       tofu "${TF_CHDIR_OPT}" show -json "${TF_PLAN_CACHE}" | \
@@ -241,15 +248,18 @@ if [ $sourced -eq 0 ]; then
     ;;
     "validate")
       $TF_IMPLICIT_INIT && terraform_init -backend=false
-      tofu "${TF_CHDIR_OPT}" "${@}"
+      # shellcheck disable=SC2086
+      tofu "${TF_CHDIR_OPT}" "${@}" ${var_file_args}
     ;;
     "test")
       $TF_IMPLICIT_INIT && terraform_init -backend=false
-      tofu "${TF_CHDIR_OPT}" "${@}"
+      # shellcheck disable=SC2086
+      tofu "${TF_CHDIR_OPT}" "${@}" ${var_file_args}
     ;;
     "graph")
       $TF_IMPLICIT_INIT && terraform_init
-      tofu "${TF_CHDIR_OPT}" "${@}"
+      # shellcheck disable=SC2086
+      tofu "${TF_CHDIR_OPT}" "${@}" ${var_file_args}
     ;;
     --)
       shift

templates/apply.yml

@@ -84,6 +84,10 @@ spec:
       default: false
       type: boolean
       description: 'Whether the apply job is manual or automatically run.'
+    var_file:
+      default: ''
+      type: string
+      description: 'Path to a variables files relative to root_dir. Only used if no_plan is true otherwise the variables are coming from the plan.'
 
 ---
 
@@ -108,6 +112,7 @@ spec:
     TF_STATE_NAME: $[[ inputs.state_name ]]
     TF_APPLY_NO_PLAN: $[[ inputs.no_plan ]]
     TF_PLAN_NAME: $[[ inputs.plan_name ]]
+    OPENTOFU_COMPONENT_VAR_FILE: '$[[ inputs.var_file ]]'
   image:
     name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]$[[ inputs.image_digest ]]'
   script:

templates/destroy.yml

@@ -84,6 +84,10 @@ spec:
       default: false
       type: boolean
       description: 'Whether the destroy job is manual or automatically run.'
+    var_file:
+      default: ''
+      type: string
+      description: 'Path to a variables files relative to root_dir. Only used if no_plan is true otherwise the variables are coming from the plan.'
 
 ---
 
@@ -107,6 +111,7 @@ spec:
     TF_STATE_NAME: $[[ inputs.state_name ]]
     TF_APPLY_NO_PLAN: $[[ inputs.no_plan ]]
     TF_PLAN_NAME: $[[ inputs.plan_name ]]
+    OPENTOFU_COMPONENT_VAR_FILE: '$[[ inputs.var_file ]]'
   image:
     name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]'
   script:

templates/full-pipeline.yml

@@ -96,6 +96,10 @@ spec:
     plan_artifacts_access:
       default: 'none'
       description: 'Access level for the plan artifact. See https://docs.gitlab.com/ee/ci/yaml/#artifactsaccess for possible values.'
+    var_file:
+      default: ''
+      type: string
+      description: 'Path to a variables files relative to root_dir.'
 
 ---
 
@@ -123,6 +127,7 @@ include:
       image_digest: $[[ inputs.image_digest ]]
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
+      var_file: $[[ inputs.var_file ]]
   - local: '/templates/test.yml'
     inputs:
       as: '$[[ inputs.job_name_prefix ]]test'
@@ -135,6 +140,7 @@ include:
       image_digest: $[[ inputs.image_digest ]]
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
+      var_file: $[[ inputs.var_file ]]
     rules:
       - exists:
           - $[[ inputs.root_dir ]]/**/*.tftest.hcl
@@ -151,6 +157,7 @@ include:
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
       artifacts_access: $[[ inputs.plan_artifacts_access ]]
+      var_file: $[[ inputs.var_file ]]
   - local: '/templates/apply.yml'
     inputs:
       as: '$[[ inputs.job_name_prefix ]]apply'
@@ -164,6 +171,7 @@ include:
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
       auto_apply: $[[ inputs.auto_apply ]]
+      var_file: $[[ inputs.var_file ]]
   - local: '/templates/destroy.yml'
     inputs:
       as: '$[[ inputs.job_name_prefix ]]destroy'
@@ -177,6 +185,7 @@ include:
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
       auto_destroy: $[[ inputs.auto_destroy ]]
+      var_file: $[[ inputs.var_file ]]
   - local: '/templates/delete-state.yml'
     inputs:
       as: '$[[ inputs.job_name_prefix ]]delete-state'

templates/graph.yml

@@ -78,6 +78,10 @@ spec:
       description: |
         Name of the graph file that should be generated.
         It will be uploaded as an artifact.
+    var_file:
+      default: ''
+      type: string
+      description: 'Path to a variables files relative to root_dir.'
 
 ---
 
@@ -93,6 +97,7 @@ spec:
     __CACHE_KEY_HACK: "$[[ inputs.root_dir ]]"
     TF_ROOT: $[[ inputs.root_dir ]]
     TF_STATE_NAME: $[[ inputs.state_name ]]
+    OPENTOFU_COMPONENT_VAR_FILE: '$[[ inputs.var_file ]]'
   image:
     name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]'
   script:

templates/job-templates.yml

@@ -93,6 +93,10 @@ spec:
       default: false
       type: boolean
       description: 'Whether the destroy job is manual or automatically run.'
+    var_file:
+      default: ''
+      type: string
+      description: 'Path to a variables files relative to root_dir.'
 
 ---
 
@@ -120,6 +124,7 @@ include:
       image_digest: $[[ inputs.image_digest ]]
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
+      var_file: $[[ inputs.var_file ]]
   - local: '/templates/graph.yml'
     inputs:
       as: '$[[ inputs.job_name_prefix ]]graph'
@@ -130,6 +135,7 @@ include:
       image_registry_base: $[[ inputs.image_registry_base ]]
       image_name: $[[ inputs.image_name ]]
       root_dir: $[[ inputs.root_dir ]]
+      var_file: $[[ inputs.var_file ]]
   - local: '/templates/test.yml'
     inputs:
       as: '$[[ inputs.job_name_prefix ]]test'
@@ -142,6 +148,7 @@ include:
       image_digest: $[[ inputs.image_digest ]]
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
+      var_file: $[[ inputs.var_file ]]
   - local: '/templates/plan.yml'
     inputs:
       as: '$[[ inputs.job_name_prefix ]]plan'
@@ -154,6 +161,7 @@ include:
       image_digest: $[[ inputs.image_digest ]]
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
+      var_file: $[[ inputs.var_file ]]
   - local: '/templates/apply.yml'
     inputs:
       as: '$[[ inputs.job_name_prefix ]]apply'
@@ -167,6 +175,7 @@ include:
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
       auto_apply: $[[ inputs.auto_apply ]]
+      var_file: $[[ inputs.var_file ]]
   - local: '/templates/destroy.yml'
     inputs:
       as: '$[[ inputs.job_name_prefix ]]destroy'
@@ -180,6 +189,7 @@ include:
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
       auto_destroy: $[[ inputs.auto_destroy ]]
+      var_file: $[[ inputs.var_file ]]
   - local: '/templates/delete-state.yml'
     inputs:
       as: '$[[ inputs.job_name_prefix ]]delete-state'

templates/plan.yml

@@ -83,6 +83,10 @@ spec:
     artifacts_access:
       default: 'none'
       description: 'Access level for the plan artifact. See https://docs.gitlab.com/ee/ci/yaml/#artifactsaccess for possible values.'
+    var_file:
+      default: ''
+      type: string
+      description: 'Path to a variables files relative to root_dir.'
 
 ---
 
@@ -117,6 +121,7 @@ spec:
     TF_ROOT: $[[ inputs.root_dir ]]
     TF_STATE_NAME: $[[ inputs.state_name ]]
     TF_PLAN_NAME: $[[ inputs.plan_name ]]
+    OPENTOFU_COMPONENT_VAR_FILE: '$[[ inputs.var_file ]]'
   image:
     name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]'
   script:

templates/test.yml

@@ -73,6 +73,10 @@ spec:
     state_name:
       default: default
       description: 'Remote OpenTofu state name.'
+    var_file:
+      default: ''
+      type: string
+      description: 'Path to a variables files relative to root_dir.'
 
 ---
 
@@ -93,6 +97,7 @@ spec:
     __CACHE_KEY_HACK: "$[[ inputs.root_dir ]]"
     TF_ROOT: $[[ inputs.root_dir ]]
     TF_STATE_NAME: $[[ inputs.state_name ]]
+    OPENTOFU_COMPONENT_VAR_FILE: '$[[ inputs.var_file ]]'
   image:
     name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]'
   script:

templates/validate-plan-apply.yml

@@ -86,6 +86,10 @@ spec:
     plan_artifacts_access:
       default: 'none'
       description: 'Access level for the plan artifact. See https://docs.gitlab.com/ee/ci/yaml/#artifactsaccess for possible values.'
+    var_file:
+      default: ''
+      type: string
+      description: 'Path to a variables files relative to root_dir.'
 
 ---
 
@@ -113,6 +117,7 @@ include:
       image_digest: $[[ inputs.image_digest ]]
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
+      var_file: $[[ inputs.var_file ]]
   - local: '/templates/plan.yml'
     inputs:
       as: '$[[ inputs.job_name_prefix ]]plan'
@@ -126,6 +131,7 @@ include:
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
       artifacts_access: $[[ inputs.plan_artifacts_access ]]
+      var_file: $[[ inputs.var_file ]]
   - local: '/templates/apply.yml'
     inputs:
       as: '$[[ inputs.job_name_prefix ]]apply'
@@ -139,3 +145,4 @@ include:
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
       auto_apply: $[[ inputs.auto_apply ]]
+      var_file: $[[ inputs.var_file ]]

templates/validate-plan-destroy.yml

@@ -89,6 +89,10 @@ spec:
       default: false
       type: boolean
       description: 'Whether the destroy job is manual or automatically run.'
+    var_file:
+      default: ''
+      type: string
+      description: 'Path to a variables files relative to root_dir.'
 
 ---
 
@@ -116,6 +120,7 @@ include:
       image_digest: $[[ inputs.image_digest ]]
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
+      var_file: $[[ inputs.var_file ]]
   - local: '/templates/plan.yml'
     inputs:
       as: '$[[ inputs.job_name_prefix ]]plan'
@@ -131,6 +136,7 @@ include:
       plan_name: $[[ inputs.plan_name ]]
       artifacts_access: $[[ inputs.plan_artifacts_access ]]
       destroy: true
+      var_file: $[[ inputs.var_file ]]
   - local: '/templates/destroy.yml'
     inputs:
       as: '$[[ inputs.job_name_prefix ]]destroy'
@@ -146,6 +152,7 @@ include:
       no_plan: false
       plan_name: $[[ inputs.plan_name ]]
       auto_destroy: $[[ inputs.auto_destroy ]]
+      var_file: $[[ inputs.var_file ]]
   - local: '/templates/delete-state.yml'
     inputs:
       as: '$[[ inputs.job_name_prefix ]]delete-state'

templates/validate-plan.yml

@@ -79,6 +79,10 @@ spec:
     artifacts_access:
       default: 'none'
       description: 'Access level for the plan artifact. See https://docs.gitlab.com/ee/ci/yaml/#artifactsaccess for possible values.'
+    var_file:
+      default: ''
+      type: string
+      description: 'Path to a variables files relative to root_dir.'
 
 ---
 
@@ -106,6 +110,7 @@ include:
       image_digest: $[[ inputs.image_digest ]]
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
+      var_file: $[[ inputs.var_file ]]
   - local: '/templates/plan.yml'
     inputs:
       as: '$[[ inputs.job_name_prefix ]]plan'
@@ -119,3 +124,4 @@ include:
       root_dir: $[[ inputs.root_dir ]]
       state_name: $[[ inputs.state_name ]]
       artifacts_access: $[[ inputs.artifacts_access ]]
+      var_file: $[[ inputs.var_file ]]

templates/validate.yml

@@ -73,6 +73,10 @@ spec:
     state_name:
       default: default
       description: 'Remote OpenTofu state name.'
+    var_file:
+      default: ''
+      type: string
+      description: 'Path to a variables files relative to root_dir.'
 
 ---
 
@@ -93,6 +97,7 @@ spec:
     TF_ROOT: $[[ inputs.root_dir ]]
     TF_STATE_NAME: $[[ inputs.state_name ]]
     TF_IGNORE_INIT_ERRORS: 'true' # Tofu can report errors which might be the reason init failed.
+    OPENTOFU_COMPONENT_VAR_FILE: '$[[ inputs.var_file ]]'
   image:
     name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]'
   script:

tests/iac/main.tf

@@ -7,11 +7,20 @@ resource "local_file" "foo" {
   filename = "${path.module}/foo.bar"
 }
 
-variable "CI_PROJECT_NAME" {
+variable "ci_project_name" {
   type    = string
   default = "default"
 }
 
+variable "test_variable" {
+  type    = string
+  default = "default value"
+}
+
 output "project_name" {
-  value = var.CI_PROJECT_NAME
+  value = var.ci_project_name
+}
+
+output "test_variable" {
+  value = var.test_variable
 }

tests/iac/varfile.integration-test.tfvars

+test_variable = "varfile integration test"

tests/integration-tests/VarFile.gitlab-ci.yml

+include:
+  - component: $CI_SERVER_FQDN/$CI_PROJECT_PATH/full-pipeline@$CI_COMMIT_SHA
+    inputs:
+      image_registry_base: $GITLAB_OPENTOFU_IMAGE_BASE
+      version: $CI_COMMIT_SHA
+      base_os: $GITLAB_OPENTOFU_BASE_IMAGE_OS
+      opentofu_version: $OPENTOFU_VERSION
+      root_dir: $TEST_TF_ROOT
+      state_name: $TEST_TF_STATE_NAME
+      var_file: varfile.integration-test.tfvars
+
+stages: [validate, test, build, deploy, cleanup]
+
+# Required to run everything immediately, instead of manually.
+
+fmt:
+  rules: [{when: always}]
+
+validate:
+  rules: [{when: always}]
+
+test:
+  rules: [{when: always}]
+
+plan:
+  rules: [{when: always}]
+
+apply:
+  rules: [{when: always}]
+
+destroy:
+  rules: [{when: always}]
+
+delete-state:
+  rules: [{when: always}]
+

tests/integration.gitlab-ci.yml

@@ -15,6 +15,7 @@ component:
           - TestJob
           - ModuleRelease
           - Destroy
+          - VarFile
         GITLAB_OPENTOFU_BASE_IMAGE_OS:
           - alpine
           - debian